ISO/IEC 27404 — Cybersecurity — IoT security and privacy — Cybersecurity labelling framework for consumer IoT [DRAFT]
Abstract
“This document defines a Universal Cybersecurity Labelling Framework for the development and implementation of cybersecurity labelling programmes for consumer IoT products.” [Source: ISO/IEC JTC 1/SC 27 SD11 July 2024]
Introduction
Although cybersecurity is seldom promoted as a feature of consumer-oriented IoT devices (things), it can be important. Inconsistent and unclear cybersecurity labelling does not help consumers appreciate their security and privacy objectives, nor evaluate and select things accordingly. Standardising the cybersecurity labelling of things is intended to improve consistency across the global market, increase consumer awareness and promote better cybersecurity designs.
Scope of the standard
The standard concerns consumer-grade (retail) IoT things - as opposed to business, industrial, engineering, medical, scientific or mil-spec things.
It covers cybersecurity and privacy but excludes safety aspects.
Content of the standard
The main sections are:
- Overview
- International alignment
- Components and considerations for labelling framework
- Label issue and maintenance
- Annex A - types and features of labels
- Annex B - examples of multi-level labelling schemes
- Annex C - examples of binary labelling schemes
- Annex D - determination of equivalency between labelling schemes
- Annex E - cybersecurity baseline examples
- Annex F - secure-by-design examples
- Annex G - privacy assessment examples
Status
Drafting started in 2022.
The standard is at Draft International Standard stage and should surface in 2025.
Personal comments
Singapore standard TR 91:2021 Cybersecurity labelling for consumer IoT formed the original basis for this standard, with editorial changes to suit the more formal ISO/IEC style.